Custom RBAC - Can I Do That?

•Download as PPTX, PDF•

0 likes•506 views

Matthew Edmonds and Lance Bragstad discuss the advantages and disadvantages of implementing custom Role Based Access Control in OpenStack today. This presentation also includes plans for improving RBAC experience in OpenStack.

Software

Matthew Edmonds (edmondsw)
Lance Bragstad (lbragstad)
Custom RBAC
Can I do that?

What is RBAC?
How does OpenStack implement RBAC?
Customizing RBAC in your deployment
The future of access control

RBAC is a method of regulating access to an object
based on the roles of individual users

What is RBAC?
Permissions are attached to predefined roles
Roles are assigned to users or groups
Roles are evaluated with request context

How does OpenStack implement RBAC?
Attaching permissions to roles
Assigning roles to users
Evaluating requests

"identity:create_service": "role:manager"

$policy.DocumentedRuleDefault( name='identity:create_service', check_str='role:manager', description='Create service', operations=[{'method': 'POST','path': '/v3/services'}] )$

openstack role add
--project development
--user alice
manager

Customizing RBAC in your deployment
Finding policy settings
Policy syntax
Choosing which role to customize
Selecting which policy to customize

Usually in /etc/<service>/policy.json
Could be a yaml file
CONF.oslo_policy.policy_file
CONF.oslo_policy.policy_dirs

oslopolicy-sample-generator
--namespace <service>
--output-file policy-sample.yaml
oslopolicy-policy-generator
--namespace <service>
--output-file policy-merged.yaml

"!" # none
"@" # any
"" # any
"<context_attr>:<target_attr>" # match

"(...)" # grouping
"not ..." # logical NOT
"... and ..." # logical AND
"... or ..." # logical OR

admin # everywhere
Issues:
1. Hardcoded admin checks
2. Can operate outside assigned scope

_member_ # keystone
Member # horizon
Issues:
1. Implemented as a catch-all

service # keystone
ResellerAdmin # swift

service # keystone
ResellerAdmin # swift
Issues:
1. Qualify as “member”
2. ResellerAdmin permissions are hardcoded

<your_thing> # do whatcha wanna do
Issues:
1. Qualify as “member”
2. Hardcoded admin checks

Read the description (if available)
Check the code
Take a guess

Multiple APIs can be protected with one policy
One API can be protected with multiple policies
One API can call another API

$PUT /v3/roles/{prior_role_id}/implies/{implies_role_id}$

Registering defaults
Documenting policies
Deprecating policies
Granular and consistent policy names
Implementing system-scoped tokens
Associating scope to policies
Service tokens
Defining default roles

https://goo.gl/B2QpYf
https://goo.gl/dkV8Pn

Similar to Custom RBAC - Can I Do That?

Introduction to MongoDB

Justin Smestad

resource governor

Aaron Shilo

CloudBrew 2018 - Azure Governance

Tom Janetscheck

LeVan, "Search Web Services"

National Information Standards Organization (NISO)

AEM Sightly Deep Dive

Gabriel Walt

Windsor AWS UG Deep dive IAM 2 - no json101

Goran Karmisevic

Azure Governance for Enterprise

Mohit Chhabra

SCR Annotations for Fun and Profit

Mike Pfaff

IaaS with ARM templates for Azure

Christoffer Noring

Introduction to Azure Resource Manager, Global Azure Bootcamp 2016.04

Lukasz Kaluzny

Webinar slides: Getting started with Azure Resource Graph

ShareGate

AWS Cloud Kata 2014 | Jakarta - Startup Best Practices

Amazon Web Services

Running Elasticsearch often requires specialized expertise and significant resources to operate and manage infrastructure and Elasticsearch software. Amazon Elasticsearch Service makes it easy to deploy, operate, and scale Elasticsearch in AWS. In this webinar, we will walk through how to launch a fully functional Amazon Elasticsearch domain, load your data, and analyze it using the built-in Kibana integration. We will also cover the CloudWatch Logs integration, which enables you to have your log data, such as VPC logs, automatically loaded into your Amazon Elasticsearch domain for analysis and exploration.

AWS October Webinar Series - Introducing Amazon Elasticsearch Service

Amazon Web Services

[2D1]Elasticsearch 성능 최적화

NAVER D2

[2 d1] elasticsearch 성능 최적화

Henry Jeong

Dev confus.2020 compliance operator

jaormx

Qui Quaerit, Reperit. AWS Elasticsearch in Action

GlobalLogic Ukraine

2011-02-03 LA RubyConf Rails3 TDD Workshop

Wolfram Arnold

Presentation

Arnold Stellio

Ansible is a Configuration Management System that is very simple to use, because of its straightforward and robust model for managing automation and it’s low barrier to entry for ease of use in both development and production. During OpenStack development, Ansible can be used in conjunction with Vagrant and Devstack to manage complex, multi-node development environments with relative ease. In this presentation, Juergen Brendel and David Lapsley review Ansible and provide some sample playbooks to get developers up and running quickly. They also describes how to use Ansible, Vagrant, Devstack, and OpenStack to accelerate OpenStack development cycles.

Learn you some Ansible for great good!

David Lapsley

Similar to Custom RBAC - Can I Do That? (20)

Introduction to MongoDB

resource governor

CloudBrew 2018 - Azure Governance

LeVan, "Search Web Services"

AEM Sightly Deep Dive

Windsor AWS UG Deep dive IAM 2 - no json101

Azure Governance for Enterprise

SCR Annotations for Fun and Profit

IaaS with ARM templates for Azure

Introduction to Azure Resource Manager, Global Azure Bootcamp 2016.04

Webinar slides: Getting started with Azure Resource Graph

AWS Cloud Kata 2014 | Jakarta - Startup Best Practices

AWS October Webinar Series - Introducing Amazon Elasticsearch Service

[2D1]Elasticsearch 성능 최적화

[2 d1] elasticsearch 성능 최적화

Dev confus.2020 compliance operator

Qui Quaerit, Reperit. AWS Elasticsearch in Action

2011-02-03 LA RubyConf Rails3 TDD Workshop

Presentation

Learn you some Ansible for great good!

More from Lance Bragstad

Keystone has had multiple Token formats in the past. With JSON Web Signatures (JWS) we introduce yet another one. It turns out that there are several reasons, including lessons learned from previous token formats like PKI and Fernet. In this talk, we discuss what tokens mean for distributed computing. We will focus on how the different token formats provide trade-offs in performance and scalability. Then we will discuss the JWS format, how it works, and what benefits it provides. We'll close with a look at the future and the features we can build on top of JWS.

Keystone JWS Tokens: Past, Present, and Future

Lance Bragstad

OpenStack Summit Berlin - Keystone Project On-boarding

Lance Bragstad

Unified Limits in OpenStack

Lance Bragstad

OpenStack Keystone Stein Project Update

Lance Bragstad

OpenStack Keystone Rocky Project Update

Lance Bragstad

OpenStack Keystone Queens Project Update

Lance Bragstad

Fernet tokens: newton summit

Lance Bragstad

OpenStack Keystone Pike Project Update

Lance Bragstad

Keystone Project Onboarding

Lance Bragstad

More from Lance Bragstad (9)

Keystone JWS Tokens: Past, Present, and Future

OpenStack Summit Berlin - Keystone Project On-boarding

Unified Limits in OpenStack

OpenStack Keystone Stein Project Update

OpenStack Keystone Rocky Project Update

OpenStack Keystone Queens Project Update

Fernet tokens: newton summit

OpenStack Keystone Pike Project Update

Keystone Project Onboarding

Recently uploaded

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic near me by a powerful astrologer and spell caster in Atlanta. Bring back your lover with Asaf's voodoo-love witchcraft. Psychic Reading | Astrologer | Spell Caster | Obsession Spells | Black Magic | Witchcraft | Protection spell | wiccan spells. Black magic expert and voodoo love spells that work overnight to retrieve that love | lost love spell caster with powerful love psychic reading. Best astrologer & psychic in Sandy Springs, GA to renew your relationship & make your relationship stronger. love spells to bring back the feelings of love for ex-lovers. Increase the intimacy, affection & love between you and your lover using voodoo relationship obsession spells in USA. Money spells, easy love spells with just words, think of me spell, powerful love spell, spells of love, spells that work, love potion to attract a man, easy love spells with just words, pink candle prayer, white magic spells, call me spell, manifestation spell, gay love spells, Commitment spells, business spells and, how to bring back lost love in a relationship, Witchcraft love spells that work immediately to increase love & intimacy in your relationship. Attraction love spells to attract someone, stop a divorce, prevent a breakup & get your ex back. When using love binding spells, there are several things you should know, particularly how to protect yourself from negative energies and how to use the powers of incantations for the good of all people involved. When the focus is love, the results are truly magical. It’s important to remember love is not manipulative, it is not forceful, and it does not bend another to its will. Love is free-flowing, accepting, kind, and generous. For your love spell to work as intended, you must have good intentions in your heart. Below, we share the top five love spells you can use today to shift the energies in your life and create a future filled with love and fulfilment. Obsession spells to Get Your Ex-Lover Back. All women want one thing the most in life to be love and love in return – not much to ask. A lady wants a good man who loves you unconditionally and loyally. You want a man who is honest, hardworking, and loyal – not a complainer or a weakling or a self-centred man. You are a strong, independent, sensual, caring, loving woman. And you don’t think it’s asking too much to want to be with a loving, intelligent man with a good sense of humour and daring, an upright and confident man – who knows who he is. No one wants a chauvinistic and macho man, but you do want someone who will be willing to protect and care for you. Who loves you for you and not some kind of imaginary. You have no doubt that when the right guy appears on your doorstep, you’ll never let him go. But sometimes a man doesn’t realize he has that good woman.

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...

chiefasafspells

WSO2CON 2024 Slides - Open Source to SaaS

WSO2

WSO2Con204 - Hard Rock Presentation - Keynote

WSO2

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal. Attraction Spells

%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...

masabamasaba

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

masabamasaba

Artyushina_Guest lecture_YorkU CS May 2024.pptx

AnnaArtyushina1

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

WSO2CON2024 - It's time to go Platformless

WSO2

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

tonesoftg

lanshi9

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

WSO2

%in Benoni+277-882-255-28 abortion pills for sale in Benoni

masabamasaba

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

masabamasaba

WSO2CON 2024 - Does Open Source Still Matter?

WSO2

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...

masabamasaba

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

Recently uploaded (20)

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...

WSO2CON 2024 Slides - Open Source to SaaS

WSO2Con204 - Hard Rock Presentation - Keynote

%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

Artyushina_Guest lecture_YorkU CS May 2024.pptx

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

WSO2CON2024 - It's time to go Platformless

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

tonesoftg

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

%in Benoni+277-882-255-28 abortion pills for sale in Benoni

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

WSO2CON 2024 - Does Open Source Still Matter?

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

VTU technical seminar 8Th Sem on Scikit-learn

Custom RBAC - Can I Do That?

1. Matthew Edmonds (edmondsw) Lance Bragstad (lbragstad) Custom RBAC Can I do that?

2. What is RBAC? How does OpenStack implement RBAC? Customizing RBAC in your deployment The future of access control

3. What is RBAC? How does OpenStack implement RBAC? Customizing RBAC in your deployment The future of access control

4. RBAC is a method of regulating access to an object based on the roles of individual users

5. What is RBAC? Permissions are attached to predefined roles Roles are assigned to users or groups Roles are evaluated with request context

6. What is RBAC? Permissions are attached to predefined roles Roles are assigned to users or groups Roles are evaluated with request context

7. What is RBAC? Permissions are attached to predefined roles Roles are assigned to users or groups Roles are evaluated with request context

8. What is RBAC? How does OpenStack implement RBAC? Customizing RBAC in your deployment The future of access control

9. How does OpenStack implement RBAC? Attaching permissions to roles Assigning roles to users Evaluating requests

10. openstack role create manager

11. "identity:create_service": "role:manager"

12. policy.DocumentedRuleDefault( name='identity:create_service', check_str='role:manager', description='Create service', operations=[{'method': 'POST','path': '/v3/services'}] )

13. How does OpenStack implement RBAC? Attaching permissions to roles Assigning roles to users Evaluating requests

14. openstack role add --project development --user alice manager

15. How does OpenStack implement RBAC? Attaching permissions to roles Assigning roles to users Evaluating requests

16. What is RBAC? How does OpenStack implement RBAC? Customizing RBAC in your deployment The future of access control

17. Customizing RBAC in your deployment Finding policy settings Policy syntax Choosing which role to customize Selecting which policy to customize

18. Usually in /etc/<service>/policy.json Could be a yaml file CONF.oslo_policy.policy_file CONF.oslo_policy.policy_dirs

19. oslopolicy-sample-generator --namespace <service> --output-file policy-sample.yaml oslopolicy-policy-generator --namespace <service> --output-file policy-merged.yaml

20. Customizing RBAC in your deployment Finding policy settings Policy syntax Choosing which role to customize Selecting which policy to customize

21. "!" # none "@" # any "" # any "<context_attr>:<target_attr>" # match

22. "(...)" # grouping "not ..." # logical NOT "... and ..." # logical AND "... or ..." # logical OR

23. Customizing RBAC in your deployment Finding policy settings Policy syntax Choosing which role to customize Selecting which policy to customize

24. admin # everywhere

25. admin # everywhere Issues: 1. Hardcoded admin checks 2. Can operate outside assigned scope

26. _member_ # keystone Member # horizon

27. _member_ # keystone Member # horizon Issues: 1. Implemented as a catch-all

28. service # keystone ResellerAdmin # swift

29. service # keystone ResellerAdmin # swift Issues: 1. Qualify as “member” 2. ResellerAdmin permissions are hardcoded

30. <your_thing> # do whatcha wanna do

31. <your_thing> # do whatcha wanna do Issues: 1. Qualify as “member” 2. Hardcoded admin checks

32. Customizing RBAC in your deployment Finding policy settings Policy syntax Choosing which role to customize Selecting which policy to customize

33. Read the description (if available) Check the code Take a guess

34. Multiple APIs can be protected with one policy One API can be protected with multiple policies One API can call another API

35. PUT /v3/roles/{prior_role_id}/implies/{implies_role_id}

36. What is RBAC? How does OpenStack implement RBAC? Customizing RBAC in your deployment The future of access control

37. Registering defaults Documenting policies Deprecating policies Granular and consistent policy names Implementing system-scoped tokens Associating scope to policies Service tokens Defining default roles

38. Community goals Project tags

39. Who benefits from all this?

40.

41. https://goo.gl/B2QpYf https://goo.gl/dkV8Pn

Custom RBAC - Can I Do That?

Recommended

Recommended

More Related Content

Similar to Custom RBAC - Can I Do That?

Similar to Custom RBAC - Can I Do That? (20)

More from Lance Bragstad

More from Lance Bragstad (9)

Recently uploaded

Recently uploaded (20)

Custom RBAC - Can I Do That?